Configuring an Object ACL (SDK for Node.js)

If you have any questions during development, post them on the Issues page of GitHub.

Function

OBS allows you to control access to objects. By default, only object creators have the read and write permissions on the object. However, the creator can set a public access policy to assign the read permission to all other users. If an object is encrypted with SSE-KMS, the ACL configured for it is not in effect in the cross-tenant case.

You can set an ACL when uploading an object or call an ACL API to modify or obtain the ACL of an existing object.

Like bucket access (for details, see Configuring a Bucket ACL (SDK for Node.js)), object access supports pre-defined ACLs and direct access configurations.

An object ACL can be configured in any of the following ways:

Specify a pre-defined ACL during object upload. For details, see Code Examples: Specifying a Pre-defined ACL During Object Creation.
Call ObsClient.setObjectAcl to specify a pre-defined ACL. For details, see Code Examples: Specifying a Pre-defined ACL for an Existing Object.
Call ObsClient.setObjectAcl to specify an ACL directly. For details, see Code Examples: Granting Object Permissions.

Restrictions

To configure an object ACL, you must be the bucket owner or have the required permission (obs:object:PutObjectAcl in IAM or PutObjectAcl in a bucket policy). For details, see Introduction to OBS Access Control, IAM Custom Policies, and Configuring an Object Policy.
To learn about the mappings between OBS regions and endpoints, see Regions and Endpoints.
An object ACL supports a maximum of 100 Grants.

Method

ObsClient.setObjectAcl(params)

Request Parameters

**Table 1** List of request parameters
Parameter	Type	Mandatory (Yes/No)	Description
Bucket	string	Yes	Explanation: Bucket name Restrictions: A bucket name must be unique across all accounts and regions. A bucket name: Must be 3 to 63 characters long and start with a digit or letter. Lowercase letters, digits, hyphens (-), and periods (.) are allowed. Cannot be formatted as an IP address. Cannot start or end with a hyphen (-) or period (.). Cannot contain two consecutive periods (..), for example, my..bucket. Cannot contain a period (.) and a hyphen (-) adjacent to each other, for example, my-.bucket or my.-bucket. If you repeatedly create buckets with the same name in the same region, no error will be reported, and the bucket attributes comply with those set in the first creation request. Value range: The value can contain 3 to 63 characters. Default value: None
Key	string	Yes	Explanation: Object name. An object is uniquely identified by an object name in a bucket. An object name is a complete path of the object that does not contain the bucket name. For example, if the address for accessing the object is examplebucket.obs.ap-southeast-1.myhuaweicloud.com/folder/test.txt, the object name is folder/test.txt. Restrictions: None Value range: The value can contain 1 to 1,024 characters. Default value: None
VersionId	string	No	Explanation: Object version ID, for example, G001117FCE89978B0000401205D5DC9A Restrictions: None Value range: The value must contain 32 characters. Default value: None
ACL	AclType	No	Explanation: Pre-defined ACL Restrictions: You must specify either ACL or the combination of Owner and Grants. Value range: See Table 2. Default value: None
Owner	Owner	No	Explanation: Bucket owner Restrictions: Owner and Grants must be used together, and they cannot be used with ACL. You must specify either ACL or the combination of Owner and Grants. Value range: See Table 3. Default value: None
Delivered	boolean	No	Explanation: Whether the ACL of the bucket applies to its objects Value range: true: The ACL of the bucket applies to its objects. false: The ACL of the bucket does not apply to its objects. Default value: None
Grants	Grant[]	No	Explanation: Grantees and permissions Restrictions: Owner and Grants must be used together, and they cannot be used with ACL. You must specify either ACL or the combination of Owner and Grants. Value range: See Table 4. Default value: None

**Table 2** AclType
Constant	Default Value	Description
ObsClient.enums.AclPrivate	private	Private read and write A bucket or object can only be accessed by its owner.
ObsClient.enums.AclPublicRead	public-read	Public read and private write If this permission is granted on a bucket, anyone can read the object list, multipart uploads, metadata, and object versions in the bucket. If this permission is granted on an object, everyone can obtain the content and metadata of the object.
ObsClient.enums.AclPublicReadWrite	public-read-write	Public read and write If this permission is granted on a bucket, anyone can read the object list, multipart tasks, metadata, and object versions in the bucket and can upload or delete objects, initiate multipart upload tasks, upload parts, assemble parts, copy parts, and abort multipart upload tasks. If this permission is granted on an object, everyone can obtain the content and metadata of the object.
ObsClient.enums.AclPublicReadDelivered	public-read-delivered	Public read on a bucket as well as the objects in the bucket. If this permission is granted on a bucket, anyone can read the object list, multipart tasks, metadata, and object versions and read the content and metadata of objects in the bucket. NOTE: AclPublicReadDelivered does not apply to objects.
ObsClient.enums.AclPublicReadWriteDelivered	public-read-write-delivered	Public read and write on a bucket as well as the objects in the bucket. If this permission is granted on a bucket, anyone can read the object list, multipart uploads, metadata, and object versions in the bucket and can upload or delete objects, initiate multipart upload tasks, upload parts, assemble parts, copy parts, and abort multipart uploads. They can also read the content and metadata of objects in the bucket. NOTE: AclPublicReadWriteDelivered does not apply to objects.
ObsClient.enums.AclBucketOwnerFullControl	bucket-owner-full-control	If this permission is granted on an object, only the bucket and object owners have the full control over the object. By default, if you upload an object to a bucket of any other user, the bucket owner does not have the permissions on your object. After you grant this policy to the bucket owner, the bucket owner can have full control over your object. For example, if user A uploads object x to user B's bucket, user B does not have the control over object x. If user A sets the bucket-owner-full-control policy for object x, user B then has the control over object x.

**Table 3** Owner
Parameter	Type	Mandatory (Yes/No)	Description
ID	string	Yes if used as a request parameter	Explanation: Account (domain) ID of the owner Value range: To obtain the account ID, see How Do I Get My Account ID and User ID? (SDK for Node.js) Default value: None
DisplayName	string	No	Explanation: Account name of the owner Default value: None

**Table 4** Grant
Parameter	Type	Mandatory (Yes/No)	Description
Grantee	Grantee	Yes if used as a request parameter	Explanation: Grantee information. For details, see Table 5.
Permission	PermissionType	Yes if used as a request parameter	Explanation: Granted permission Value range: See Table 8. Default value: None

**Table 5** Grantee
Parameter	Type	Mandatory (Yes/No)	Description
Type	string	Yes if used as a request parameter	Explanation: Grantee type Value range: See Table 6. Default value: None
ID	string	Yes if this parameter is used as a request parameter and Type is set to a user	Explanation: Account (domain) ID of the grantee. Value range: To obtain the account ID, see How Do I Get My Account ID and User ID? (SDK for Node.js) Default value: None
Name	string	No if used as a request parameter	Explanation: Account name of the grantee. Restrictions: The account name cannot contain full-width characters. The account name starts with a letter. The account name contains 6 to 32 characters. The account name contains only letters, digits, hyphens (-), or underscores (_). Default value: None
URI	GroupUriType	Yes if this parameter is used as a request parameter and Type is set to a group	Explanation: Authorized user group Value range: See Table 7. Default value: None

**Table 6** GranteeType
Constant	Description
Group	Grants permissions to user groups.
CanonicalUser	Grants permissions to individual users.

**Table 7** GroupUriType
Constant	Default Value	Description
ObsClient.enums.GroupAllUsers	AllUsers	All users.
ObsClient.enums.GroupAuthenticatedUsers	AuthenticatedUsers	Authorized users. This constant is deprecated.
ObsClient.enums.GroupLogDelivery	LogDelivery	Log delivery group. This constant is deprecated.

**Table 8** PermissionType
Constant	Default Value	Description
ObsClient.enums.PermissionRead	READ	A grantee with this permission for a bucket can obtain the list of objects, multipart uploads, bucket metadata, and object versions in the bucket. A grantee with this permission for an object can obtain the object content and metadata.
ObsClient.enums.PermissionWrite	WRITE	A grantee with this permission for a bucket can upload, overwrite, and delete any object or part in the bucket. This permission is not applicable to objects.
ObsClient.enums.PermissionReadAcp	READ_ACP	A grantee with this permission can obtain the ACL of a bucket or object. A bucket or object owner has this permission for their bucket or object by default.
ObsClient.enums.PermissionWriteAcp	WRITE_ACP	A grantee with this permission can update the ACL of a bucket or object. A bucket or object owner has this permission for their bucket or object by default. This permission allows the grantee to change the access control policies, meaning the grantee has full control over a bucket or object.
ObsClient.enums.PermissionFullControl	FULL_CONTROL	A grantee with this permission for a bucket has PermissionRead, PermissionWrite, PermissionReadAcp, and PermissionWriteAcp permissions for the bucket. A grantee with this permission for an object has PermissionRead, PermissionReadAcp, and PermissionWriteAcp permissions for the object.

Responses

**Table 9** Responses
Type	Description
Table 10 NOTE: This API returns a Promise response, which requires the Promise or async/await syntax.	Explanation: Returned results. For details, see Table 10.

**Table 10** Response
Parameter	Type	Description
CommonMsg	ICommonMsg	Explanation: Common information generated after an API call is complete, including the HTTP status code and error code. For details, see Table 11.
InterfaceResult	Table 12	Explanation: Results outputted for a successful call. For details, see Table 12. Restrictions: This parameter is not included if the value of Status is greater than 300.

**Table 11** ICommonMsg
Parameter	Type	Description
Status	number	Explanation: HTTP status code returned by the OBS server. Value range: A status code is a group of digits indicating the status of a response. It ranges from 2xx (indicating successes) to 4xx or 5xx (indicating errors). For details, see Status Codes.
Code	string	Explanation: Error code returned by the OBS server.
Message	string	Explanation: Error description returned by the OBS server.
HostId	string	Explanation: Request server ID returned by the OBS server.
RequestId	string	Explanation: Request ID returned by the OBS server.
Id2	string	Explanation: Request ID2 returned by the OBS server.
Indicator	string	Explanation: Error code details returned by the OBS server.

**Table 12** BaseResponseOutput
Parameter	Type	Description
RequestId	string	Explanation: Request ID returned by the OBS server

Code Examples: Specifying a Pre-defined ACL During Object Creation

Sample code:

// Import the OBS library.
// Use npm to install the client.
const ObsClient = require("esdk-obs-nodejs");
// Use the source code to install the client.
// var ObsClient = require('./lib/obs');

// Create an ObsClient instance.
const obsClient = new ObsClient({
  // Obtain an AK/SK pair using environment variables or import an AK/SK pair in other ways. Using hard coding may result in leakage.
  // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
  access_key_id: process.env.ACCESS_KEY_ID,
  secret_access_key: process.env.SECRET_ACCESS_KEY,
  // (Optional) If you use a temporary AK/SK pair and a security token to access OBS, you are advised not to use hard coding, which may result in information leakage. You can obtain an AK/SK pair using environment variables or import an AK/SK pair in other ways.
  // security_token: process.env.SECURITY_TOKEN,
  // Enter the endpoint corresponding to the region where the bucket is located. CN-Hong Kong is used here as an example. Replace it with the one currently in use.
  server: "https://obs.ap-southeast-1.myhuaweicloud.com"
});

async function putObject() {
  try {
    const params = {
      // Specify the bucket name.
      Bucket: "examplebucket",
      // Specify the object. example/objectname is used in this example.
      Key: "example/objectname",
      // Specify a text object.
      Body : 'Hello OBS',
      // Set the object ACL to public-read.
      ACL : obsClient.enums.AclPublicRead
    };
    // Upload the object.
    const result = await obsClient.putObject(params);
    if (result.CommonMsg.Status <= 300) {
      console.log("Put object(%s) under the bucket(%s) successful!!", params.Key, params.Bucket);
      console.log("RequestId: %s", result.CommonMsg.RequestId);
      console.log("StorageClass:%s, ETag:%s", result.InterfaceResult.StorageClass, result.InterfaceResult.ETag);
      return;
    };
    console.log("An ObsError was found, which means your request sent to OBS was rejected with an error response.");
    console.log("Status: %d", result.CommonMsg.Status);
    console.log("Code: %s", result.CommonMsg.Code);
    console.log("Message: %s", result.CommonMsg.Message);
    console.log("RequestId: %s", result.CommonMsg.RequestId);
  } catch (error) {
    console.log("An Exception was found, which means the client encountered an internal problem when attempting to communicate with OBS, for example, the client was unable to access the network.");
    console.log(error);
  };
};

putObject();

Code Examples: Specifying a Pre-defined ACL for an Existing Object

Sample code:

    
     
       
       
         // Import the OBS library.
// Use npm to install the client.
const ObsClient = require("esdk-obs-nodejs");
// Use the source code to install the client.
// var ObsClient = require('./lib/obs');

// Create an instance of ObsClient.
const obsClient = new ObsClient({
  // Obtain an AK/SK pair using environment variables or import an AK/SK pair in other ways. Using hard coding may result in leakage.
  // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
  access_key_id: process.env.ACCESS_KEY_ID,
  secret_access_key: process.env.SECRET_ACCESS_KEY,
  // (Optional) If you use a temporary AK/SK pair and a security token to access OBS, you are advised not to use hard coding, which may result in information leakage. You can obtain an AK/SK pair using environment variables or import an AK/SK pair in other ways.
  // security_token: process.env.SECURITY_TOKEN,
  // Enter the endpoint corresponding to the region where the bucket is located. CN-Hong Kong is used here in this example. Replace it with the one currently in use.
  server: "https://obs.ap-southeast-1.myhuaweicloud.com"
});

async function setObjectAcl() {
  try {
    const params = {
      // Specify the bucket name.
      Bucket: "examplebucket",
      // Specify an object. example/objectname is used in this example.
      Key: "example/objectname",
      // Specify the ACL to make the object private.
      ACL : obsClient.enums.AclPrivate
    };
    // Set the object ACL.
    const result = await obsClient.setObjectAcl(params);
    if (result.CommonMsg.Status <= 300) {
      console.log("Set Object(%s)'s acl successful with Bucket(%s)!", params.Key, params.Bucket);
      console.log("RequestId: %s", result.CommonMsg.RequestId);
      return;
    };
    console.log("An ObsError was found, which means your request sent to OBS was rejected with an error response.");
    console.log("Status: %d", result.CommonMsg.Status);
    console.log("Code: %s", result.CommonMsg.Code);
    console.log("Message: %s", result.CommonMsg.Message);
    console.log("RequestId: %s", result.CommonMsg.RequestId);
  } catch (error) {
    console.log("An Exception was found, which means the client encountered an internal problem when attempting to communicate with OBS, for example, the client was unable to access the network.");
    console.log(error);
  };
};

setObjectAcl();

        

      

    
   

Code Examples: Granting Object Permissions

Sample code:

    
     
       
       
         // Import the OBS library.
// Use npm to install the client.
const ObsClient = require("esdk-obs-nodejs");
// Use the source code to install the client.
// var ObsClient = require('./lib/obs');

// Create an instance of ObsClient.
const obsClient = new ObsClient({
  // Obtain an AK/SK pair using environment variables or import an AK/SK pair in other ways. Using hard coding may result in leakage.
  // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
  access_key_id: process.env.ACCESS_KEY_ID,
  secret_access_key: process.env.SECRET_ACCESS_KEY,
  // (Optional) If you use a temporary AK/SK pair and a security token to access OBS, you are advised not to use hard coding, which may result in information leakage. You can obtain an AK/SK pair using environment variables or import an AK/SK pair in other ways.
  // security_token: process.env.SECURITY_TOKEN,
  // Enter the endpoint corresponding to the region where the bucket is located. CN-Hong Kong is used here in this example. Replace it with the one currently in use.
  server: "https://obs.ap-southeast-1.myhuaweicloud.com"
});

async function setObjectAcl() {
  try {
    const params = {
      // Specify the bucket name.
      Bucket: "examplebucket",
      // Specify an object. example/objectname is used in this example.
      Key: "example/objectname",
      // Specify the version ID of the object.
      VersionId: 'G001117FCE89978B0000401205D5DC9A'
      // Specify the owner of the object.
      Owner: { 'ID': 'ownerid' },
// Specify the information about the authorized user.
      Grants: [
        // Grant the write permission to a specified user (0a03f5833900d3730f13c00f49d5exxx in this example).
        { Grantee: { Type: 'CanonicalUser', ID: '0a03f5833900d3730f13c00f49d5exxx' }, Permission: obsClient.enums.PermissionWrite },
        // Grant the read permission to all users.
        { Grantee: { Type: 'Group', URI: obsClient.enums.GroupAllUsers }, Permission: obsClient.enums.PermissionRead },
      ]
    };
    // Set the ACL.
    const result = await obsClient.setObjectAcl(params);
    if (result.CommonMsg.Status <= 300) {
      console.log("Set Object(%s)'s acl successful with Bucket(%s)!", params.Key, params.Bucket);
      console.log("RequestId: %s", result.CommonMsg.RequestId);
      return;
    };
    console.log("An ObsError was found, which means your request sent to OBS was rejected with an error response.");
    console.log("Status: %d", result.CommonMsg.Status);
    console.log("Code: %s", result.CommonMsg.Code);
    console.log("Message: %s", result.CommonMsg.Message);
    console.log("RequestId: %s", result.CommonMsg.RequestId);
  } catch (error) {
    console.log("An Exception was found, which means the client encountered an internal problem when attempting to communicate with OBS, for example, the client was unable to access the network.");
    console.log(error);
  };
};

setObjectAcl();

        

      

    
   